
I use ProxyCommand with the intention of avoiding ssh agent forwarding. Today I noticed that Gnome was starting ssh-agent, which I'm trying to avoid using, so I disabled it. I'd like to not have the agent running so I can't accidentally start forwarding it if I'm ever careless with setup/config of the ssh client. I'm a consultant, and one of the very worst nightmares is that someone co-opts my credentials to do bad things, making it look like I did bad things, and costs me business or even causes me to get sued. The present case where I hit this problem is configured as shown below. I've determined that it's not even the ProxyCommand that is requiring ssh-agent. Below is the anonymized bastion config from my ~/.ssh/config (actually it's included from a customer-specific directory ~/clients/foo/secrets/, but this all worked previously so there should be no problem there)

    Host bastion
        HostName xxx.xxx.xxx.70
        User ubuntu
        IdentityFile ~/clients/foo/secrets/bastion.key
        IdentitiesOnly yes
        ForwardAgent no

When I do

ssh bastion -vvv 

It stalls out at:

    debug1: Found key in /home/gus/.ssh/known_hosts:67
    debug3: send packet: type 21
    debug2: set_newkeys: mode 1
    debug1: rekey after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug3: receive packet: type 21
    debug1: SSH2_MSG_NEWKEYS received
    debug2: set_newkeys: mode 0
    debug1: rekey after 134217728 blocks

This post on Ask Different identifies that as a "waiting for agent" problem. I'm on Ubuntu 18.04, but I assume the same error messages indicate the same problem regardless. Unfortunately, that answer focuses on fixing/enabling the agent, and I want to run without it so it can't ever get forwarded and subsequently abused.

How do I convince ssh to use the key from the config and not ask the agent for keys. Note that this connection worked fine before I killed the ssh-agent and removed it from Gnome startup. And the only thing I have added since (to no apparent effect) is the ForwardAgent line. Note that I've logged out and logged back in to ensure that there's no issue with a zombie process that came from killing the agent initially and verified that the only process running with ssh in the name is sshd (which is expected and should be unrelated).

For reference the next hop will look like this:

    Host target
        HostName xxx.xxx.xxx.152
        User ubuntu
        IdentityFile ~/clients/foo/secrets/target.key
        IdentitiesOnly yes
        ForwardAgent no
        ProxyCommand ssh -W %h:%p bastion

And previously that was working fine too such that ssh target asked me for successive pass-phrases for each machine and then logged me into target.

EDIT: starting ssh-agent does let me in again but that's not what I'm looking for. The failed attempts leave only Connection closed by xxx.xxx.xxx.xxx port YYYY [preauth] in auth.log.

  • Does it work if you do ssh -a ubuntu@bastion -i ~/clients/foo/secrets/bastion.key? Also, what does the log on the bastion host say when you connect? Commented Jan 18, 2021 at 21:10
  • @Sturban that produces identical results, both with and without agent started. Edited to add details regarding logs on the server (not much). Commented Jan 18, 2021 at 22:33

1 Answer


https://man.openbsd.org/ssh_config#IdentityAgent or man 5 ssh_config on your system

IdentityAgent
Specifies the UNIX-domain socket used to communicate with the authentication agent.
... Setting the socket name to none disables the use of an authentication agent. ....
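Worked example, added here and not part of the original question or answer: the script writes the question's bastion/target stanzas twice, once as posted (ForwardAgent no only, which stops forwarding but still lets the client talk to whatever agent SSH_AUTH_SOCK points at) and once with the IdentityAgent none setting from the answer, then checks each file two ways: a static scan of the stanzas, and `ssh -G`, which prints the options the real client resolves for a host without connecting. Addresses, user name and key paths are the placeholders from the question, not real values; the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Compares the stanzas as posted with
# the same stanzas plus "IdentityAgent none", and checks how ssh resolves them.
set -eu

# Stanzas as posted in the question: agent forwarding is off, but the client
# will still open the agent socket named by SSH_AUTH_SOCK to look for keys.
write_posted_config() {
    cat > "$1" <<'EOF'
Host bastion
    HostName xxx.xxx.xxx.70
    User ubuntu
    IdentityFile ~/clients/foo/secrets/bastion.key
    IdentitiesOnly yes
    ForwardAgent no

Host target
    HostName xxx.xxx.xxx.152
    User ubuntu
    IdentityFile ~/clients/foo/secrets/target.key
    IdentitiesOnly yes
    ForwardAgent no
    ProxyCommand ssh -W %h:%p bastion
EOF
}

# Same stanzas with "IdentityAgent none": ssh never opens an agent socket for
# these hosts, the key is read from IdentityFile, and there is nothing left to
# forward. Note the ProxyCommand spawns a second ssh that reads the default
# ~/.ssh/config, so the bastion stanza has to live where that ssh finds it.
write_hardened_config() {
    cat > "$1" <<'EOF'
Host bastion
    HostName xxx.xxx.xxx.70
    User ubuntu
    IdentityFile ~/clients/foo/secrets/bastion.key
    IdentitiesOnly yes
    IdentityAgent none
    ForwardAgent no

Host target
    HostName xxx.xxx.xxx.152
    User ubuntu
    IdentityFile ~/clients/foo/secrets/target.key
    IdentitiesOnly yes
    IdentityAgent none
    ForwardAgent no
    ProxyCommand ssh -W %h:%p bastion
EOF
}

# Static check (no ssh needed): print how many Host stanzas in the file lack
# "IdentityAgent none". Keywords are case-insensitive, as in ssh_config(5).
stanzas_missing_agent_none() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "host" {
            if (inhost && !ok) missing++
            inhost = 1; ok = 0; next
        }
        tolower($1) == "identityagent" && tolower($2) == "none" { ok = 1 }
        END { if (inhost && !ok) missing++; print missing + 0 }
    ' "$1"
}

# Dynamic check: ask the real client how it resolves the host. ssh -G dumps the
# effective options without connecting. Returns 1 if ssh is missing, predates
# IdentityAgent (OpenSSH 7.3), or any of the three settings is not as required.
client_resolves_hardened() {
    ssh -G -F "$1" "$2" 2>/dev/null | awk '
        $1 == "identityagent"  && $2 == "none" { ia = 1 }
        $1 == "forwardagent"   && $2 == "no"   { fa = 1 }
        $1 == "identitiesonly" && $2 == "yes"  { io = 1 }
        END { exit ((ia && fa && io) ? 0 : 1) }'
}

tmp=$(mktemp -d)
write_posted_config "$tmp/posted"
write_hardened_config "$tmp/hardened"
echo "posted stanzas without IdentityAgent none:   $(stanzas_missing_agent_none "$tmp/posted")"
echo "hardened stanzas without IdentityAgent none: $(stanzas_missing_agent_none "$tmp/hardened")"
if client_resolves_hardened "$tmp/hardened" target; then
    echo "ssh -G: target resolves identityagent none, forwardagent no, identitiesonly yes"
else
    echo "ssh -G check skipped or failed (no ssh, ssh older than 7.3, or options differ)"
fi
rm -rf "$tmp"
```

`ssh -G -F <file> <host>` is the quick way to confirm a stanza is actually applied before relying on it: a line `identityagent none` in its output means the client will not consult any agent for that host regardless of what SSH_AUTH_SOCK is set to in the desktop session, which is the property the question is after. ForwardAgent no on its own only prevents the forwarding channel; it does not stop the client from using a local agent for authentication.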
